PatchSiren cyber security CVE debrief

CVE-2017-3369 Oracle CVE debrief

CVE-2017-3369 is a high-severity Oracle E-Business Suite iSupport vulnerability affecting versions 12.1.1, 12.1.2, and 12.1.3. Oracle and NVD describe it as network-reachable over HTTP, unauthenticated, and requiring human interaction, with potential impact to confidentiality and integrity of iSupport data.

Vendor: Oracle
Product: CVE-2017-3369
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, security teams, and application owners running iSupport 12.1.1, 12.1.2, or 12.1.3, especially where the service is reachable over HTTP.

Technical summary

The supplied NVD record lists CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and marks Oracle iSupport 12.1.1, 12.1.2, and 12.1.3 as vulnerable CPEs. The CVE text says successful attacks can result in unauthorized access to critical data or complete access to all Oracle iSupport-accessible data, plus unauthorized update, insert, or delete access to some data. The NVD weakness field is NVD-CWE-noinfo, and the Oracle CPU January 2017 advisory is cited as the vendor patch/reference source.

Defensive priority

High. Prioritize remediation for any deployment of the affected iSupport versions, particularly if externally reachable or widely used. Because the attack path requires human interaction, reducing exposure and applying Oracle's remediation guidance are both important.

Recommended defensive actions

  • Inventory Oracle E-Business Suite iSupport deployments and confirm whether any instance runs version 12.1.1, 12.1.2, or 12.1.3.
  • Review and apply the Oracle January 2017 CPU guidance referenced in the NVD record for vendor remediation.
  • Restrict HTTP access to iSupport to trusted networks and users while remediation is in progress.
  • Monitor iSupport-related activity for unexpected access patterns and unauthorized data changes.
  • Validate that remediation and compensating controls are deployed across all environments that use the affected component.

Evidence notes

This debrief is based on the supplied CVE description and the NVD record. The record identifies Oracle iSupport as the affected component, lists vulnerable versions 12.1.1/12.1.2/12.1.3, and provides the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The Oracle CPU January 2017 advisory appears in the NVD references as the vendor patch/advisory source. The NVD weakness field is recorded as NVD-CWE-noinfo.

Official resources

Published by CVE/NVD on 2017-01-27T22:59:05.943Z. The supplied record was later modified on 2026-05-13T00:24:29.033Z; that modified timestamp is not the original disclosure date.